JWT Decoder

Decode and inspect JWT tokens. All processing happens in your browser.

How to Use JWT Decoder

  1. Paste your JWT

     Paste a JWT into the input field. The token is split into its three dot-separated parts automatically.

  2. Inspect the decoded parts

     View the decoded header (blue), payload (purple), and signature (green) sections with pretty-printed JSON. The signature is shown as-is; it is opaque bytes, not JSON.

  3. Check standard claims

     See descriptions for standard claims such as exp, iat, iss, sub, and aud, with Unix timestamps rendered as human-readable dates.

  4. Check expiry status

     See at a glance whether the token is expired, with a human-readable countdown of the time remaining or elapsed. Note that this reads the exp claim only; it does not verify the signature, so an expiry check on an unverified token says nothing about whether the token is genuine.

Frequently Asked Questions

Is my token sent to a server?

No. All decoding happens entirely in your browser using JavaScript. Your token never leaves your machine.

Does this tool verify the signature?

No. This tool decodes and inspects JWTs but does not verify signatures. Verifying an HMAC-signed token requires the shared signing secret, which should never be pasted into a web page; verifying an asymmetrically signed token requires the issuer's public key, which the tool does not fetch. Treat decoded claims as untrusted until the signature has been verified by the server that consumes the token.

Which tokens can it decode?

Any standard JWT with three Base64URL-encoded parts separated by dots (header.payload.signature).

Does it check whether the token is expired?

Yes. If the payload contains an exp claim, the tool shows whether the token is expired and a human-readable countdown.

How JWTs Work in Authentication

A JWT (JSON Web Token) is a compact, URL-safe way to transmit claims between two parties. It has three parts separated by dots: a header (naming the signing algorithm), a payload (containing claims such as the user identifier and expiration), and a signature (which lets anyone holding the right key check that the header and payload were not altered). The header and payload are Base64URL-encoded JSON, not encrypted: anyone who obtains the token can read them, which is why you should never put sensitive data such as passwords in a JWT payload.

Common JWT Claims

iss (issuer) identifies who created the token. sub (subject) identifies the user. exp (expiration) is a Unix timestamp (seconds since the epoch) after which the token must be rejected. iat (issued at) records when the token was created. aud (audience) names the service the token is intended for, and a verifier should reject tokens whose aud does not match its own identifier. Short lifetimes (often 15 minutes or less for access tokens) limit the damage window if a token is stolen, which is why refresh tokens exist: they let a client obtain new access tokens without re-authenticating the user.
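The following is an added example, not the devally.dev tool's own code, showing what the decoder described in the steps above and in this section actually does: split the token on dots, restore the Base64URL parts to standard Base64 (swap the alphabet back and re-add the stripped padding), parse header and payload as JSON, and report the exp claim relative to a given time. The sample token is constructed inside the block with a placeholder signature; the issuer, subject and audience values are made up for the example.

```javascript
// Added example (not the tool's code). Works in Node 16+ and in modern browsers:
// atob/btoa, TextEncoder and TextDecoder are globals in both.

// Base64URL is Base64 with '-' and '_' in place of '+' and '/' and no '='
// padding, so the alphabet must be restored and padding re-added before atob().
function base64UrlDecode(part) {
  const b64 = part.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

function base64UrlEncode(str) {
  const bytes = new TextEncoder().encode(str);
  const b64 = btoa(String.fromCharCode(...bytes));
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Decode only. The signature is returned as an opaque string: checking it
// needs the issuer's key, which a browser-side inspector does not have.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error(`expected header.payload.signature, got ${parts.length} part(s)`);
  }
  const [h, p, s] = parts;
  return {
    header: JSON.parse(base64UrlDecode(h)),
    payload: JSON.parse(base64UrlDecode(p)),
    signature: s,
  };
}

// Describe the exp claim relative to nowSeconds (Unix time), i.e. the countdown
// the tool shows. Returns null when the payload carries no numeric exp claim.
function expiryStatus(payload, nowSeconds) {
  if (typeof payload.exp !== 'number') return null;
  const delta = payload.exp - nowSeconds;
  return {
    expired: delta <= 0,
    expiresAt: new Date(payload.exp * 1000).toISOString(),
    message: delta > 0 ? `expires in ${delta} s` : `expired ${-delta} s ago`,
  };
}

// Constructed sample token (not a real credential): issued at 1700000000 and
// valid for 15 minutes. The signature is a placeholder; decoding ignores it.
const SAMPLE_HEADER = { alg: 'HS256', typ: 'JWT' };
const SAMPLE_PAYLOAD = {
  iss: 'https://issuer.example',
  sub: 'user-42',
  aud: 'api.example',
  iat: 1700000000,
  exp: 1700000900,
};
const SAMPLE_TOKEN = [
  base64UrlEncode(JSON.stringify(SAMPLE_HEADER)),
  base64UrlEncode(JSON.stringify(SAMPLE_PAYLOAD)),
  'placeholder-signature',
].join('.');

const decoded = decodeJwt(SAMPLE_TOKEN);
console.log(JSON.stringify(decoded.header, null, 2));
console.log(JSON.stringify(decoded.payload, null, 2));
console.log(expiryStatus(decoded.payload, 1700000600).message); // expires in 300 s
console.log(expiryStatus(decoded.payload, 1700001000).message); // expired 100 s ago
```

Note what this code does not do: nothing here checks that the signature is valid, so every claim it prints is exactly as trustworthy as the party who handed you the token. A decoder is an inspection aid; the verifier on the server is what decides whether to believe the payload.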

JWT Security Considerations

The most notorious JWT vulnerability is the "alg": "none" attack, where an attacker edits the header to claim no signature algorithm and strips the signature. A library that reads the algorithm from the token and accepts "none" as valid will then treat the tampered payload as authentic. Never let the token choose how it is verified: pin the expected algorithm and key in the verifier's configuration, reject "none" outright, and compare the computed MAC or signature in constant time. Another common mistake: storing JWTs in localStorage makes them readable by any JavaScript running on the page, so a single XSS bug hands the token to the attacker. HttpOnly cookies keep the token out of reach of script and are the safer choice for browser-based authentication, provided the cookie is also protected against CSRF (for example with the SameSite attribute).